We have 5 usable external static IP addresses leased by our ISP: .49 to .53, where

.49 is assigned to the Juniper SSG20 firewall and NATed for 172.16.10.0/24

.50 is assigned to a windows box for web server and domain controller

.51 is assigned to another windows box with exchange server (domain:
mycompany1.com) mx record is pointing to 20x.xx.xxx.51

Currently there is a policy set for all SMTP incoming traffic addressed to .51 forward to the NATed address of the exchange server box (private IP: 172.16.10.194).

We can send and receive emails for both internal and external, but the gmail is saying mails from mycomany1.com is not sent from the same IP as the mx lookup however is from 20x.xx.xxx.49:

Received-SPF: neutral (google.com: 20x.xx.xxx.49 is neither permitted nor denied by
best guess record for domain of codemonkie@mycomapny1.com) client-ip=20x.xx.xxx.49;
Authentication-Results: mx.google.com; spf=neutral (google.com: 20x.xx.xxx.49 is
neither permitted nor denied by best guess record for domain of
codemonkie@mycomapny1.com) smtp.mail=codemonkie@mycomapny1.com

and the mx record in global dns space as well as in the domain controller .50 for mail.mycompany1.com is set to 20x.xx.xxx.51

My attempt to resolve the above issue is to

Update the mx record from 20x.xx.xxx.51 to 20x.xx.xxx.49

Create a new VIP for SMTP traffic addressed to 20x.xx.xxx.49 to forward to 172.16.10.194

After my changes incoming email stopped working, I believe it has something to do with the Juniper setting that SMTP addressed to .49 is not forwarded to 172.16.10.194

Also, I have been wondering is it mandatory to assign an external static IP address to the Juniper firewall?

1 Answer
1

Yes, you need a routable public address for your firewall's external interface. Your real problem is that you're doing inbound destination NAT by using VIPs and relying on the default source NAT for outbound traffic. Because of this, all traffic appears to be coming from the firewall's address.

What you're REALLY after here, is both a destination NAT for inbound traffic, and a source NAT for outbound traffic, also known as either static NAT or 1-to-1 NAT.

What you need to do, is create a MIP. Go to interfaces, click edit on your external interface, go to the MIP tab, and create an entry mapping that external address (51) to the mail server.

Now... this can get a little more tricky if say you need one external IP to be used to hit two different hosts. So let's say for .51 you were going to forward 80/443 to an exchange CAS server, but SMTP to a transport server. In that case you'd have to make explicit rules for both destination AND source address translation.

Also... you could just leave your existing settings alone and create a rule to permit SMTP traffic outbound from your mail server, and in that policy tell it to SNAT the traffic as coming from .51! You would have to place the rule above the one for your existing trust to untrust traffic.
–
SpacemanSpiffOct 22 '12 at 2:27

Thanks for the answer, we managed to set up a MIP using .51, however the same comment from google is still there but with the address changed to 51 instead. I think we need a PTR record for reverse lookup.
–
codemonkieOct 23 '12 at 16:39

You should turn on some logging and make certain the NAT is doing what its supposed to. If you didn't adjust your rule it may still be using the inteface IP and not the MIP IP
–
SpacemanSpiffOct 23 '12 at 20:54